January 20, 2019 - 235 Shares

Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, persistence, authentication, downstream proxies, logging, alerting and extensibility.

Burp Suite allows you to combine manual and automated techniques to enumerate, analyse, scan, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another (The tools are Proxy, Spider, Scanner, Intruder, Repeater, Sequencer, Decoder & Comparer).

Key features unique to Burp Suite include:

Detailed analysis and rendering of requests and responses.

One-click transfer of interesting requests between tools.

Ability to “passively” spider an application in a non-intrusive manner, with all requests originating from the user’s browser.

January 20, 2019 - 235 Shares

Merry xmas everyone, here is the year end summary of retarded e-mails. We have had a splendid amount of retarded comments recently too and some decent e-mails too (but all asking the same thing “How do I start learning to be a hacker, what should I do, what should I read etc..I’ll write a post to address that some day).

This guy has some serious typo issues.

flavio wrote:
hi. i am writing you from mexico, i have been traying to buy a carding card to
use it in atm machine but nobody is serieus in my country are all a clounds, i
woul like to get in touch with some suplier to make buisness in my contryt . see
you soon

I wonder what very important details these are?

nellu wrote:
Do you know people or forums where i can sell very important details?

Huh?

Maria Pastrana wrote:
Hello,

We are a Spanish course deditated to distribution of software and tools. We
have a customer interested in VOIP, please send me a quote for 1 license VOIP
Infraestucture Security Testing Tools and let me know if we can have a discount
as a reseller.

This guy sounds angry.

Rhanz wrote:
can you guys hack this f*cking site ?
e-games.com.ph i need a ep hack on ran online

Tsk tsk, you probably got sacked for a reason – DEAL WITH IT.

biljana wrote:
Pls Ser, can u help me?
I resently lost my job and my former boss is IT engeneer. I want to revange
him and find the reason why I was realese from job. The answer is on his e-mail,
and I want to crack his username and password to find answers. Some friend told
me to use Goldeneye but no one knows how to us it. Can u help me use this
program, please.
Help me !

I get all kinds of monetary offers to do ‘hacking’ jobs too, some are quite substantial…but then it’s a distinctly Nigerian sounding name.

Denis Nwoke wrote:
I am not asking you how to hack. I am simply asking if you will hack. I need
hacking services performed. I am willing to compensate the person willing to do
these services to the tune of 10,000 pounds. Please reply if interested.

Yah right?!

Yeimy Garcia wrote:
need help with a email adress that was chared and my info was change by ex and i
have pictures and info that are very inportant to me.Please contact me asap tru
email or #317-640-2667

You want me to help you pirate stuff? Go out and rent it if you can’t afford to buy it you cheapskate.

Caleb Johnson wrote:
Hello, I’m about to start college in about two months, and im a avid p2p sharer
and I wondering, what all I could do to make my actions hidden and not tracked,
so I can keep dowloading from that drug addicted Hollywood lol. Thank You for
your insight, I don’t want to stop downloading free movies and music.
Thanks for your Response
Caleb Johnson

Needs a whack from the clue stick.

Nicky wrote:
hi,
i have downloaded some of your hacking software but would like to know how to
run it, i have downloaded
pof, jtr and cain. i have them but do not know how to run them, please help!!
nicky

This time however it doesn’t really effect home users or the general consumer, it’s a more specific server side vulnerability affecting Microsoft SQL Server 2000 and 2005 versions. It seems pretty serious though as it also appears that this vulnerability if exploited properly could lead to remote code execution.

Just days after patching a critical flaw in its Internet Explorer browser, Microsoft is now warning users of a serious bug in its SQL Server database software. Microsoft issued a security advisory late Monday, saying that the bug could be exploited to run unauthorized software on systems running versions of Microsoft SQL Server 2000 and SQL Server 2005.

Attack code that exploits the bug has been published, but Microsoft said that it has not yet seen this code used in online attacks. Database servers could be attacked using this flaw if the criminals somehow found a way to log onto the system, and Web applications that suffered from relatively common SQL injection bugs could be used as stepping stones to attack the back-end database, Microsoft said.

Again I wonder how far behind the curve Microsoft is with this? Usually these kind of bugs have been discovered by the more malicious parties way before Microsoft has any idea that their software is vulnerable.

It claims that the code hasn’t been used in online attacks, but honestly if it was used well by a smart party who would even know? SQL injection could lead to this attack being executed and the code is published online so I find it unlikely that it hasn’t been used.

The bug lies in a stored procedure called “sp_replwritetovarbin,” which is used by Microsoft’s software when it replicates database transactions. It was publicly disclosed on December 9 by SEC Consult Vulnerability Lab, which said it had notified Microsoft of the issue in April.

“Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue,” Microsoft said in its advisory.

This is the third serious bug in Microsoft’s software to be disclosed in the past month, but it is unlikely to be used in widespread attacks, according to Marc Maiffret, director of professional services, with The DigiTrust Group, a security consulting firm. “It is rather low risk given other vulnerabilities that exist,” he said via instant message. “There are a lot of better ways to currently compromise windows systems.”

The bug was discovered by someone in April this year, so that’s at least 7 months someone has known about it..but only know when the vendor discloses it then Microsoft chooses to say something about it.

It is a fairly low risk vulnerability due to the requirements needed to execute it effectively, but still it’s another chink in the Microsoft armour to add to the (long long) list.

January 20, 2019 - 235 Shares

A lot of companies are moving towards virtualization, blade servers and sharing hardware components makes sense when you can have multiple logical servers on one physical machine. I’ve used VMWare in a few situations myself but mostly I don’t see a real requirement for using virtual machines (apart from hosting with a VPS).

There have always been debates about the security, it’s harder to segregate as the virtual machines are somehow attached at the system level so if you can break out of the ‘jail’ (into the ‘hypervisor’) you can effectively access everything on that physical server. There is still a lot of skepticism about the security of virtual servers and the big 3 providers (VMWare, Citrix Xen and Microsoft) are apparently working on some new security solutions, but as they haven’t been released yet you better be careful.

Does transitioning to virtualization increase security risks within a company? IT managers appear to be at loggerheads with IT security professionals over that question, even while sharing similar opinions on where risks might lie, according to a new survey.

The 2009 Security Mega Trends Survey from research firm Ponemon Institute — which also looked at attitudes on other topics, such as outsourcing and Web 2.0 technologies — shows roughly two-thirds of IT operations staff who responded said they felt virtualization of computer resources did not increase information-security risks. But about two-thirds of information security professionals surveyed felt the opposite way.

A full three-quarters of the survey’s 1,402 respondents, all active in U.S.-based private sector firms or government agencies, said their organizations had already implemented virtualization of their computer resources, with about 90% in both the IT and security camps saying they were “familiar” or “very familiar” with virtualization

It’s strange to see the opinions are almost polarized and exactly opposite, 2/3s of managers think that virtualization does not increase risk but 2/3s of security pros think that it does. I’d personally have to say it does increase risk, especially at the moment where it’s still quite a new technology and the implementation and security measures are not mature yet.

Stay away from virtualization for extremely data critical operations.

The survey reflects the often upbeat attitudes about virtualization expressed by experienced IT pros about how the technology, most commonly that of VMware, Microsoft of Citrix Xen, is bringing them the benefit of server consolidation.

“We started virtualization in a development and test environment, and now the main applications we have using VMware in production instances are file and print servers,” says Rich Wagner, director of IT infrastructure at Columbus, Ohio-based Hexion Specialty Chemicals. Wagner says virtualization hasn’t raised red flags as far as security requirements. The main concern, he says, is “from a performance standpoint — the CPU and memory and disk I/O — in sharing a large box,” with database servers seen as a resource-intensive application that might not be well-suited for virtualization.

There’s a far more skeptical view of virtualization security often expressed by seasoned IT security pros, who harbor doubts that vendors on the virtualization front have really sorted out or addressed the risks associated with the underlying hypervisor transformation.

I agree it’s definitely best for a testing/staging situation where you can set up multiple different environments concurrently on the same piece of hardware without having to reboot.

It’s great in a development environment too if you need to test a piece of code on multiple operating systems with different specifications.

But as I said above, for CPU intensive activities and for servers that hold critical data I just don’t think it’s a good idea.